Bypassing user mode redirection

ABSTRACT

In one embodiment, a non-transitory processor-readable medium stores code associated with a function module included in a resource library. The code can represent instructions that when executed cause a processor to define, in response to a function hook associated with the function module, a copy of the resource library, the copy of the resource library including an unhooked copy of the function module. The code can further represent instructions that when executed cause the processor to execute the unhooked copy of the function module based on at least one policy from a plurality of policies.

BACKGROUND

Embodiments described herein relate generally to hooked functions, andmore particularly to the bypassing of a function hook to access originalcode included in an unhooked copy of a function.

User-mode hooks can enable the processing of a given function or moduleto be redirected such that custom instructions (e.g., code) are executedprior to and/or in lieu of the default instructions associated with thatfunction or module. In this manner, enhancements such as customization,monitoring, debugging and/or virtualization can be added to the defaultfunctionality of the function or module. For example, a function hookcan help provide application virtualization, network monitoring,anti-virus protection and/or debugging tools, each defined by custominstructions that are executed in conjunction with or in place of theoriginal instructions of the hooked function.

This method of enhancing an existing function imposes constraints onother third-party modules also designed to enhance the hooked functionthrough, for example, additional function hooks. Because the hookingprocess redirects the processing of the function or module to analternative location in memory where the custom code resides, additionalthird-party enhancement modules are typically incapable of accessing theoriginal code and/or memory locations associated with the original(unhooked) portion of the now-hooked function. For example, an add-onmodule that interacts with a function already virtualized through ahooking process is typically unable to access one or more systemresources associated with the virtualized function (such as files andregistry entries) because the hooked/virtualized function redirects suchaccess requests to its own set of memory locations, distinct from thoseof the original function.

Thus, a need exists for methods and apparatus that allow a module tobypass a function hooking mechanism and execute and/or otherwise obtainaccess to original code and/or resources of a hooked function.

SUMMARY

In one embodiment, a non-transitory processor-readable medium storescode associated with a function module included in a resource library.The code can represent instructions that when executed cause a processorto define, in response to a function hook associated with the functionmodule, a copy of the resource library, the copy of the resource libraryincluding an unhooked copy of the function module. The code can furtherrepresent instructions that when executed cause the processor to executethe unhooked copy of the function module based on at least one policyfrom a plurality of policies.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic illustration of a computing device storing afunction module and a hooked function bypass module, according to anembodiment.

FIG. 2 is a schematic diagram illustrating an execution sequence of aseries of instructions associated with a hook bypass and stored in amemory, according to an embodiment.

FIG. 3 is a flow chart illustrating a method of implementing a hookbypass hook on a function module, according to an embodiment.

FIG. 4 is a flow chart that illustrates a method of executing custominstructions as part of a user-mode hook bypass, according to anembodiment.

DETAILED DESCRIPTION

In some embodiments, a hook bypass module can insert, into a functionmodule, one or more instructions configured to cause a processor to: (1)jump from a first memory location storing an initial instruction of thefunction module; (2) execute one or more custom instructions defined bythe hook bypass module; and (3) jump back to a second memory locationstoring a subsequent instruction of the function module to completeexecution of the function module.

The hook bypass module can be stored, for example, in a memory coupledto a processor of a computing device. The memory can be, for example, aRandom Access Memory (RAM), Read-only Memory (ROM), flash memory, orother memory type. The processor can be a Central Processing Unit (CPU),such as a Reduced Instruction Set Computer (RISC) processor or otherprocessor.

In some embodiments, the custom instructions inserted by the hook bypassmodule can cause a processor to determine whether one or more bypasspolicies has been satisfied. For example, the custom instructions cancause a processor to determine whether an instance of the functionmodule invoked by a running program includes a request for user data.Alternatively, the custom instructions can direct a processor todetermine whether one or more system settings and/or environmentvariables is of a predefined value or above or below a predefinedthreshold. In some embodiments, the custom instructions can instruct aprocessor to define a copy of the function module when one or more ofthe bypass policies is satisfied. The copy of the function module cansubsequently be used by the processor (i.e., executed) to bypassexecution of the original function module (which may potentially havebeen hooked by another third-party module or application). The copy ofthe function module can optionally be included in a copy of a resourcelibrary, the original resource library including the original functionmodule. The running program can be, for example, a running application,process, daemon, thread, etc.

The custom instructions can further cause a processor to execute atleast a portion of the copy of the function module. In this manner, theprocessor can execute instructions identical to those of the originalfunction module indicated by the running program, thereby preservingfunctionality of the original function module while bypassing anyfunction hooks implemented thereon. In some embodiments, a final custominstruction inserted by the hook bypass module can be a jump instructionconfigured to cause a processor to jump back to a location in memorypast that of any jump instructions associated with any pre-existingfunction hooks of the original function module. For example, the jumpinstruction can cause the processor to jump to a memory locationassociated with a final instruction of the original function module, orto an alternative memory location associated with a portion of therunning application immediately following a reference to or invocationof the original function module.

FIG. 1 is a schematic illustration of a computing device storing afunction module and a hooked function bypass module, according to anembodiment. More specifically, FIG. 1 is a system block diagram of acomputing device 100 that includes a processor 110 and a memory 120. Thememory 120 includes code configured to cause a processor, such as theprocessor 110, to execute a running application 121 that accesses aresource library 122 (both stored at the memory 120). As shown in FIG.1, the memory 120 further includes a resource library copy 124, afunction hook module 126 and a hook bypass module 127. As also shown inFIG. 1, the resource library 122 includes a function module 123 and theresource library copy 124 includes a function module copy 125. As can beimplied by their respective names, the resource library copy 124 can bea bit-for-bit copy of the resource library 122, and, accordingly, thefunction module copy 125 can be a bit-for-bit copy of the functionmodule 123. Said differently, the resource library copy 124 can be anexact copy of the resource library 122 (and thus the function modulecopy 125 can be an exact copy of the function module 123). In someembodiments, the resource library copy 124 can be stored at a distinctlocation or address within the memory 120 from that of the resourcelibrary 122.

The computing device 100 can be a desktop, server, mainframe or mobilecomputing device capable of executing an embedded and/or non-embeddedoperating system. For example, the computing device 100 can be apersonal computer, such as a desktop, notebook, netbook, or laptopcomputer. The computing device 100 can alternatively be a server device,such as a server device configured exchange data via a local areanetwork (LAN), a wide area network (WAN), an intranet, the Internet, acellular telephone network, etc. The computing device 100 canalternatively be a portal computing device, such as a personal digitalassistant (PDA), a cellular telephone, a smartphone, a tablet computingdevice, a wearable computing device, etc. In some embodiments, thecomputing device 100 can be configured to execute an embedded ornon-embedded an operating system, such as an operating system includingmulti-tasking and/or multi-threading functionality.

The processor 110 can be any known type of microprocessor ormicrocontroller capable of executing instructions stored at the memory120. For example, the processor 110 can be a microprocessor designed foruse within a desktop or laptop computer, a Reduced Instruction SetComputer (RISC) processor, or other known type of processor.Instructions executed by the processor 110 can be, for example,instructions included in, represented by and/or based on the runningapplication 121, the resource library 122, the resource library 124, thefunction hook module 126 and/or the hook bypass module 127. Theinstructions can be, for example, compiled high-level programminglanguage code, assembly language code, or other code converted intomachine-readable object code (such as binary code comprised of a seriesof opcodes and one or more operands).

The memory 120 can be of a known physical memory type, such as RandomAccess Memory (RAM), Read-only Memory (ROM), flash memory, a hard diskdrive, etc. As shown in FIG. 1, the memory 120 stores code configured tocause a processor, such as the processor 110, to execute each of therunning application 121, the resource library 122, the resource library124, the function hook module 126 and/or the hook bypass module 127.

The running application 121 can be any executable hardware-based and/orsoftware-based application or module configured to provide functionalityto a user of the computing device 100. For example, the runningapplication 121 can be a productivity application, such as aword-processing application, a spreadsheet application, etc.Alternatively, the running application 121 can be another type ofapplication, such as a networking application, a web client, a gamingapplication, etc.

The resource library 122 can be any hardware-based and/or software-basedlibrary including one or more functions, subroutines, submodules, etc.For example, the resource library 122 can be a function or methodlibrary, such as a Dynamic Link Library (DLL), an Executable and LinkingFormat (ELF) library, or other similar library file or package of files.As shown in FIG. 1, the resource library 122 can include a functionmodule 123. In some embodiments, the resource library 122 can bereferenced, invoked and/or otherwise accessed by the running application121. The running application 121 can access the resource library 122via, for example, a runtime include process configured to pre-load thecontents of the resource library 122 (e.g., the function module 123) forsubsequent access during the execution of the running application 121.In some embodiments, the resource library 122 can be loaded into therunning application 121 based on one or more modifications to an importdescriptor table or other resource table associated with the runningapplication 121.

As described above, the resource library copy 124 can include thefunction module copy 125, and can be a bit-for-bit copy of the resourcelibrary 122 including a bit-for-bit copy of the function module 123. Assuch, the resource library copy 124 can include one or more functions ormodules, each including the same instructions as its counterpartincluded in the resource library 122. As such, each function or moduleincluded in the resource library copy 124 can access the same memorylocations during execution as those of its counterpart from the resourcelibrary 122.

In some embodiments, the resource library copy 124 can be defined by thehook bypass module 127 upon a determination by the hook bypass module127 that one or more predefined policies has been satisfied. One or moreof these predefined policies can optionally be associated with therunning application 121 and/or the function hook module 126. In suchembodiments, the hook bypass module 127 can, based on the determination,reference, invoke, call or otherwise access the resource library copy124 (and thus, optionally, the function module copy 125) in lieu of theresource library 122 and (and thus, optionally, the function module123).

The function hook module 126 can be any hardware-based and/orsoftware-based module configured to define, insert, implement and/orexecute a function hook associated with the function module 123. Morespecifically, the function hook module 126 can be configured to insertan instruction, such as a jump instruction, into a first specifiedlocation in the memory 120 (e.g., a memory address associated with afirst instruction of the function module 123). The jump instruction canbe configured to direct the processor 110 to, upon execution of thisinstruction, “jump” (i.e., relocate its instruction pointer) to a secondspecified location in the memory 120 (i.e., a different memory address).In this manner, the function hook module 126 can (1) cause the runningapplication 121 to include custom instructions and/or code defined bythe function hook module 126 and (2) cause the processor 110 to executethe custom instructions and/or code before and/or in lieu of all or aportion of the instructions of the function module 123.

In some embodiments, the function hook module 126 can further instructthe processor 110 to, after execution of the custom instructions and/orcode, “jump back” to a third specified memory location associated with aspecified instruction of the function module 123. Said differently, thefunction hook module 126 can insert one or more instructions into anappropriate memory location such that, upon completion of the custominstructions and/or code associated with the function hook, theprocessor 110 returns to a predetermined point within the functionmodule 123. In this manner, the function hook module 126 can cause theprocessor 110 to define and execute a “hook” of or on the functionmodule 123. In some embodiments, the function hook module 126 can be,can include, or can be included in an application or process (such as athird-party application) configured to alter the functionality and/orexecution of at least a portion of the running application 121 (such asthe referenced/invoked function module 123 included in the resourcelibrary 122). For example, the function hook module 126 can be includedin a virtualization application configured to define and execute avirtualized instance of the running application 121. To do so, thefunction hook module 126 can hook one or more functions included inand/or invoked by the running application 121, thereby executing customcode and reading from/writing to one or more custom memory locationsassociated with the virtualization application.

The hook bypass module 127 can be any hardware-based and/orsoftware-based module configured to define, insert and/or execute aspecialized function hook associated with a function module (e.g., thefunction module 123). The specialized function hook can be similar instructure and implementation to the function hook described inconnection with the function hook module 126 above, but can insteadinclude custom instructions and/or code configured to bypass or“sidestep” any pre-existing function hooks already implemented on afunction module (e.g., the function hook implemented on the functionmodule 123 by the function hook module 126 as described above). Saiddifferently, the hook bypass module 127 can implement a “second-order”hook on a function module, the second-order hook configured to divertexecution of the function module away from any pre-existing hooks byredirecting the processor to custom code including at least a portion ofa copy of the function module.

More specifically, the hook bypass module 127 can cause the runningapplication 121 to execute custom instructions and/or code by insertinga jump instruction into or before a first line of the function module123. When executed as part of an instance of the function module 123,the jump instruction can cause the processor 110 to jump to a specifiedmemory location and continue execution of instructions from thatlocation. Then, at the memory location indicated by the jumpinstruction, the hook bypass module 127 can insert one or more custominstructions. The custom instructions can, when executed by theprocessor 110, provide desired functionality of the function module 123by invoking the function module copy 125 of the resource library copy124. The custom instructions can also include a jump command configuredto cause the processor 110 to jump back to a predetermined memorylocation to complete execution of the original instance of the functionmodule 123.

In this manner, the hook bypass module 127 can cause the processor 110to “jump” from the beginning of the function module 123 to executeanalogous instructions from the function module copy 125 before theprocessor 110 encounters any other function hooks associated with orimplemented on the function module 123. By so doing, the hook bypassmodule 127 can ensure that the desired instructions are executed andthat all memory accesses (i.e., reads and/or writes), are performed attheir original (i.e., non-hooked/pre-virtualization) locations, asopposed to those indicated by any previously-implemented hooks of thefunction module 123.

FIG. 2 is a schematic diagram illustrating an execution sequence of aseries of instructions associated with a hook bypass and stored in amemory, according to an embodiment. In FIG. 2, a memory 200 stores aplurality of instructions comprising an application module, a portion ofwhich are illustrated as application instruction block 210. The memory200 also stores a plurality of instructions comprising a functioninvoked or referenced by the application module, a portion of which areillustrated as function instruction block 220. The memory 200 furtherstores a plurality of instructions comprising a hook bypass module, aportion of which are illustrated as hook bypass instruction block 230.As shown in FIG. 2, each instruction from the application instructionblock 210, the function instruction block 220 and the hook bypassinstruction block 230 is associated with a memory location (i.e., amemory address) at which that instruction is stored or located. Althoughnot shown in FIG. 2, by referencing a given memory location from one ofthe above instruction blocks, a processor (e.g., the processor 110discussed in connection with FIG. 1 above) can execute that instruction,and then proceed to the numerically subsequent memory location unlessotherwise directed or interrupted.

The memory 200 can be any computer or device memory configured to storeinstructions associated with and/or comprising one or more modules orapplications. For example, the memory 200 can be a RAM, ROM, flashmemory, Solid State Drive (SSD), or other memory type capable of storingdata, such as one or more processor instructions formatted as machinelanguage or object code. Although not shown in FIG. 2, in someembodiments, the memory 200 can be included in a physical device, suchas a computing device (e.g., the computing device 100 discussed inconnection with FIG. 1). As such, the memory 200 can interact with aprocessor to allow execution of one or more applications or modules(e.g., the application module described above). In some embodiments, thememory 200 optionally includes a function hook module (not shown in FIG.2) configured to define and/or insert a first function hook on, to, orassociated with the function module described above. In FIG. 2, one ormore instructions associated with such a function hook module can bestored beginning at a memory location 1247 (as illustrated by a jumpinstruction stored at a memory location 734 within the functioninstruction block 220).

The application instruction block 210 can include instructionsassociated with and/or comprising a portion of the application module.In some embodiments, the application module can be or include anexecutable application configured to provide functionality to a user ofa computing device in which the memory 200 is located or to which thememory 200 is operatively coupled (not shown in FIG. 2). For example,the application module can be a productivity application, such as aword-processing application, a spreadsheet application, etc.Alternatively, the application module can be another type ofapplication, such as a networking application, a web client, a gamingapplication, etc. As shown in FIG. 2, the application instruction block210 can be comprised of multiple instructions, such as the instructionsstored at memory locations 521-524. In some embodiments, eachinstruction can include one or more operations or directives to beexecuted by a processor. As shown in FIG. 2, one or more instructionscan be, for example, a “jump” instruction configured to direct aprocessor to execute its next instruction at a memory location indicatedby that jump instruction. More specifically, in FIG. 2 the instructionstored at memory location 522 is a jump instruction included in theapplication instruction block 210 and configured to cause a processor tocommence execution of the function instruction block 220 by proceedingto execute the instruction stored at memory location 733.

The function instruction block 220 can include instructions associatedwith and/or comprising a function module referenced, accessed and/orinvoked by the application module. The function module can optionally beincluded in a resource library (as described in connection with theresource library 122 of FIG. 1 above). As shown in FIG. 2, the functioninstruction block 220 includes an initial instruction stored at memorylocation 733. In FIG. 2, this instruction is a jump instruction thatdirects a processor to next execute an instruction stored at memorylocation 978. In some embodiments, the instruction stored at memorylocation 733 can be an instruction inserted at the beginning of thefunction module (and thus the function instruction block 220) as part ofa hook bypass operation, and can be configured to direct a processor toexecute the instructions of the hook bypass instruction block 230 beforeproceeding to execute one or more remaining instructions included in thefunction instruction block 220.

The hook bypass instruction block 230 can include one or moreinstructions configured to cause a processor to execute custom codeassociated with a hook bypass (e.g., s the hook bypass functionalitydiscussed in connection with the hook bypass module 127 of FIG. 1). Morespecifically, the hook bypass instruction block 230 can includeinstructions configured to cause a processor to define a copy of atleast a portion of the function module (including, for example, thefunction instruction block 220). In some embodiments, the copy of thefunction module can be included in a copy of a resource library in whichthe function module is included, the copy of the resource library beingdefined based on one or more instructions of the hook bypass instructionblock 230. In some embodiments, the hook bypass instruction block 230can define a copy of a portion of the function module so as to providesimilar or identical functionality to that of the original functionmodule. In this manner, the hook bypass instruction block 230 can allowthe application module to execute the copy of the function moduleinstead of the original function module, thereby bypassing any existingfunction hooks associated with or implemented on the original functionmodule.

In some embodiments, the hook bypass instruction block 230 can defineand/or execute the copied instructions from the function module based onone or more predefined policies. For example, the hook bypass module candefine and/or execute the copied, identical instructions when thefunction module has been invoked by the application module to access(e.g., store or retrieve) data associated with a user. In the example,the hook bypass instruction block 230 can include instructionsconfigured to determine whether the function module has been invoked toaccess data associated with a user, and, if so, execute the appropriateinstructions from the copy of the function module. Thus, by executingthe hook bypass instruction block 230, the processor can store and/orretrieve data at or from one or more original memory locations indicatedby the function module—as opposed to any alternative memory locationsindicated by custom code associated with one or more existing functionhooks implemented on the function module. In the event that none of theone or more predetermined policies is satisfied, one or moreinstructions included in the hook bypass instruction block 230 canoptionally instruct the processor to jump back to a predeterminedlocation in memory, such as a memory location immediately following thememory location from which the processor had previously jumped tocommence execution of the hook module bypass instruction block 230 (or,alternatively, another memory location associated with the functionmodule).

As indicated in FIG. 2, a processor can execute the applicationinstruction block 210 included in the application module, starting withthe instruction stored at memory location 521. Having executed thisinstruction, the processor can proceed to execute the instruction storedat memory location 522, which invokes the function module by instructingthe processor to jump to memory location 733 (i.e., the firstinstruction of the function instruction block 220) and execute theinstruction stored thereat.

Having proceeded to memory location 733, the processor can execute theinstruction stored at this memory location. As shown in FIG. 2, due toan inserted function hook associated with the hook bypass module, thisinitial instruction associated with the function module is a jumpinstruction directing the processor to jump to execute an instructionstored at memory location 978 (i.e., a first instruction included in thehook bypass instruction block 230). The processor can next execute oneor more custom instructions included in the hook bypass instructionblock 230 and then return to continue or complete execution of thefunction module. As discussed above, these one or more custominstructions can be configured to cause the processor to define andexecute a portion of a copy of the function module, thereby mimickingoriginal functionality of the function module while storing data andand/or retrieving data from memory locations indicated by the originalfunction module (as opposed to any memory locations associated with, forexample, any function hooks inserted in the function instruction block220 at a memory location after that of the jump instruction stored atmemory location 733).

Once it has completed execution of the custom instructions included inthe hook bypass instruction block 230, the processor can follow a jumpinstruction to “return” to the function instruction block 220 at aspecified memory location, and continue execution from that point. Forexample, as shown in FIG. 2, the processor can execute the instructionsat memory locations 978-980, and then follow the directive of the jumpinstruction stored at memory location 981 to return to memory location735. In this manner, the processor can execute the remaininginstructions included in the function instruction block 220, starting atmemory location 735 (i.e., the memory location immediately following amemory location (734) containing a jump instruction to another memorylocation (1247) associated with a previously-inserted function hook). Atthis point, the processor can continue to execute the functioninstruction block 220 until completion. Said differently, the processorcan execute instructions stored at the memory locations 735-737, andthen follow the final jump instruction (stored at memory location 738)to exit the function module and return to memory location 523 (withinthe application instruction block 210), at which point it can continuenormal execution of the instructions of the application module.

FIG. 3 is a flow chart illustrating a method of implementing a hookbypass hook on a function module, according to an embodiment. Morespecifically, FIG. 3 illustrates a method of decompiling at least aportion of an executable program, inserting custom instructionsconfigured to implement a hook bypass hook on a function module calledby the program and recompiling the decompiled and inserted portionsprior to program execution.

A hook insertion module can identify a memory location of a start of afunction module, 300. In some embodiments, a hook insertion module canbe executed at a device, such as a computing device similar to thecomputing device 100 of FIG. 1. The hook insertion module can beconfigured to identify a memory location of a first instruction of anindicated function module (i.e., the function module to which the hookbypass hook is to be inserted). In some embodiments, the hook insertionmodule can be executed by a processor operatively coupled to a memory inwhich the hook insertion module and/or the function module is stored,such as the processor 110 and the memory 120 discussed in connectionwith FIG. 1.

The hook insertion module can disassemble an initial portion of thefunction module into assembly language, 310. More specifically, the hookinsertion module can identify a relevant portion of the function module(e.g., the first instruction of the function module) and convert thatportion from machine code (i.e., binary code including opcodes andoperands) into assembly language or code. The hook insertion module canoptionally then convert the assembly code into high-level programmingcode.

Having converted the relevant portion of the function module intoassembly code, the hook insertion module can insert an assembly jumpinstruction at the start of the function module, 520. More specifically,the hook insertion module can insert one or more instructions configuredto cause a processor, when executing the function module, to “jump” to aspecified memory location and being executing instructions at thatmemory location. In some embodiments, the specified memory location canbe a memory location at which custom instructions/code associated withthe hook bypass is located.

Next, the hook insertion module can insert the one or more custominstructions at the specified memory location, 330. More specifically,the hook insertion module can store or write, at the specified locationin memory, custom instructions configured to implement the hook bypass.For example, the custom instructions can include one or moreinstructions that direct a processor to determine whether one or morepredefined policies or rules has been satisfied. The custom instructionscan further include instructions configured to cause the processor todefine a copy of the function module (or a copy of a resource library inwhich the function module is included) when the processor determinesthat one or more of the predefined policies or rules has been satisfied.

Having inserted the custom code associated with the hook bypass, thehook insertion module can next insert, at the end of the custom code, ajump instruction configured to cause a processor to jump back andcontinue execution of instructions associated with the function module,340. In some embodiments, the jump instruction can be configured tocause the processor to continue execution of the function module at amemory location further down the execution sequence than where it exitedthe function module per the initial jump instruction inserted at step520 above. In this manner, the processor can “jump over” or “bypass” oneor more other jump or other instructions associated with one or moreother hooks of the function module, thus ensuring that the custominstructions inserted in step 330 are executed by the processor, to theexclusion of any instructions associated with the one or more otherfunction hooks.

Having inserted all instructions necessary to insert the bypass hook,the hook insertion module can recompile the edited/inserted portions,350. More specifically, the hook insertion module can recompile theedited/inserted portions of the function module into machine or objectcode ready for execution by a processor. In some embodiments, the hookinsertion module can reinsert the newly-compiled portions into theappropriate locations in memory, so as to not disrupt proper executionof the function module at runtime. Although not shown in FIG. 3, in someembodiments the hook insertion module can include a running process,daemon or other module configured to check, on a periodic basis or atthe termination of an application, process, or thread, whether anycurrently-executing application, process or thread includes a referenceto the copy of the resource library (or the copy of the function moduleincluded therein). In such embodiments, the hook insertion module candelete the copy of the resource library (and thus the copy of theincluded function module) upon determining that no such application,process or thread includes a reference to or invocation of the copy ofthe resource library.

FIG. 4 is a flow chart that illustrates a method of executing custominstructions as part of a user-mode hook bypass, according to anembodiment. More specifically, the flow chart illustrates a number ofinstructions included in a hook bypass module that can be executed by aprocessor as part of a user-mode hook bypass operation.

The processor can commence execution of instructions at a specifiedmemory location, 400. The instructions can be, for example, custom codeincluded in a hook bypass module and configured to mimic a portion of afunction module being bypassed. In some embodiments, a processor cancommence execution of the custom code at the specified memory locationin response to a jump instruction inserted as the first instruction of afunction module, the jump instruction directing the processor to beginexecuting instructions at the specified memory location instead ofcontinuing to the next instruction included in the function module.

The processor can next define a copy of a resource library that includesthe function module, 410. In some embodiments, the resource libraryand/or the copy of the resource library can be a DLL or other resourcelibrary including one or more function modules, submodules, subroutines,methods, object definitions, etc. In some embodiments, the copy of theresource library can have an identifier different from an identifier ofthe resource library. For example, the copy of the resource library canhave a file name sufficient to identify it as a copy of the resourcelibrary, but different from the identifier of the original resourcelibrary file. The copy of the resource library can include a copy of thefunction module. In some embodiments, the copy of the function modulecan be a bit-for-bit copy of the function module being bypassed. Theprocessor can also optionally define the copy of the resource librarybased at least in a part on a pointer value indicating a location inmemory and/or at a storage device (e.g., a hard drive, a flash memorydrive) at which the resource library is currently stored. Rather than aspart of a set of custom code instructions associated with a hook bypassoperation, in some embodiments, the processor can optionally define thecopy of the function in response to a user system and/or network logon,or in response to another user-initiated or system-based event.

In some embodiments, the processor can verify that the copy of theresource library and/or the function module is based on a current and/orup-to-date version of the resource library by, for example, referencinga local or network-based version list or definition associated with theresource library. If the processor determines that the copy of theresource library is not based on a current and/or up-to-date version ofthe resource library, the processor can request and receive a currentversion of the resource library, and accordingly define a copy of thatcurrent version of the resource library.

The processor can next determine if an invocation of the function modulein a running application includes a request for user data, 420. Saiddifferently, the processor can determine whether a reference to or callof the function module requests data associated with a user of therunning application and/or an operating system on which the runningapplication resides and/or is currently executing. Alternatively, theprocessor can determine whether one or more other predefined bypasspolicies is met. In this manner, the processor can determine whether abypass operation is necessary to, for example, preserve data integrityin the presence of a virtualization or other hook of the function module(i.e., to ensure that relevant data is read from and/or written to adesired memory location). For example, the processor can determinewhether the function module is stored at a specified device, such as aspecified remote device associated with a network (e.g., a virtualprivate network (“VPN”)). In another example, the processor candetermine whether a bypass is necessary based at least in part on acurrent value of a default system setting, a user preference setting,one or more system environment variables or parameters, a physicallocation of a user device, whether a current time falls within apredetermined time period, etc.

The processor can next invoke the copy of the function module includedin the copy of the resource library when the invocation of the originalfunction module includes a request for user data, 430. Morespecifically, based on the determination made in step 420 above, theprocessor can invoke all or a portion of the copy of the function modulewhen the invocation of the function module within the runningapplication includes a request for user data. For example, the processorcan call and execute relevant portions of the copy of the functionmodule associated with the retrieval of, operation on and/or storage ofone or more data associated with the user. By executing the relevantportions from the (unhooked) copy of the function module, the processorcan retrieve data from and/or store data to one or more memory locationsindicated by the copy of the function module, thereby avoiding anymemory location redirections inserted into or associated with theoriginal function module as part of one or more existing function hooksimplemented thereon.

Having completed execution of the bypass instructions (i.e., custom codeassociated with the hook bypass operation), the processor can return toan appropriate position within the referring portion of the runningapplication, 440. Said differently, the processor can next execute aninstruction stored at a memory location associated with a predeterminedpoint within the flow of the main program code. For example, theprocessor can follow a jump instruction included in the custom codedescribed above, and accordingly proceed to execute instructions of themain program at a point after the initial invocation of the functionmodule. In this manner, the processor can continue to execute therunning application, having bypassed any existing function hooksassociated with the function module, and alternatively executing thecustom code described above.

Some embodiments described herein relate to a computer storage productwith a non-transitory computer-readable medium (also can be referred toas a non-transitory processor-readable medium) having instructions orcomputer code thereon for performing various computer-implementedoperations. The computer-readable medium (or processor-readable medium)is non-transitory in the sense that it does not include transitorypropagating signals per se (e.g., a propagating electromagnetic wavecarrying information on a transmission medium such as space or a cable).The media and computer code (also can be referred to as code) may bethose designed and constructed for the specific purpose or purposes.Examples of non-transitory computer-readable media include, but are notlimited to: magnetic storage media such as hard disks, floppy disks, andmagnetic tape; optical storage media such as Compact Disc/Digital VideoDiscs (CD/DVDs), Compact Disc-Read Only Memories (CD-ROMs), andholographic devices; magneto-optical storage media such as opticaldisks; carrier wave signal processing modules; and hardware devices thatare specially configured to store and execute program code, such asApplication-Specific Integrated Circuits (ASICs), Programmable LogicDevices (PLDs), Read-Only Memory (ROM) and Random-Access Memory (RAM)devices.

Examples of computer code include, but are not limited to, micro-code ormicro-instructions, machine instructions, such as produced by acompiler, code used to produce a web service, and files containinghigher-level instructions that are executed by a computer using aninterpreter. For example, embodiments may be implemented using Java,C++, or other programming languages (e.g., object-oriented programminglanguages) and development tools. Additional examples of computer codeinclude, but are not limited to, control signals, encrypted code, andcompressed code.

While various embodiments have been described above, it should beunderstood that they have been presented by way of example only, notlimitation, and various changes in form and details may be made. Anyportion of the apparatus and/or methods described herein may be combinedin any combination, except mutually exclusive combinations. Theembodiments described herein can include various combinations and/orsub-combinations of the functions, components and/or features of thedifferent embodiments described. For example, in some embodiments anon-transitory processor-readable medium can store code configured todefine a hook bypass operation that causes two or more function modulesto include a jump instruction that directs a processor to the samememory location.

1. A non-transitory processor-readable medium storing code associatedwith a function module included in a resource library, the coderepresenting instructions that when executed cause a processor to:define, in response to a function hook associated with the functionmodule, a copy of the resource library, the copy of the resource libraryincluding an unhooked copy of the function module; and execute theunhooked copy of the function module based on at least one policy from aplurality of policies.
 2. The non-transitory processor-readable mediumof claim 1, further comprising code representing instructions that whenexecuted cause the processor to: verify that the copy of the resourcelibrary is based on a current version of the resource library.
 3. Thenon-transitory processor-readable medium of claim 1, wherein at leastone policy from the plurality of policies is based at least in part on:whether the function module includes an instruction to accessinformation associated with a user; whether the function module isstored at a specified device; a default system setting; a userpreference setting; one or more system environment parameters; aphysical location of a user device; and a predetermined time period. 4.The non-transitory processor-readable medium of claim 1, wherein thefunction hook is a first function hook associated with the functionmodule, and the copy of the resource library is defined when thefunction module is associated with a second function hook.
 5. Thenon-transitory processor-readable medium of claim 1, wherein anidentifier of the copy of the resource library is not identical to anidentifier of the resource library.
 6. The non-transitoryprocessor-readable medium of claim 1, wherein the unhooked copy of thefunction module is accessed based at least in part on a pointer to thecopy of the resource library.
 7. The non-transitory processor-readablemedium of claim 1, wherein the copy of the resource library is stored ina specified location in a memory operatively coupled to the processor.8. An apparatus, comprising: a processor; a memory, the memory storing afunction module at a first memory location, the function module beingincluded in a resource library; and a hook bypass module, the hookbypass module configured to: define a copy of the function module, anidentifier of the copy of the function module being different from anidentifier of the function module; store the copy of the function moduleat a second memory location; and access the copy of the function modulewhen the function module includes an instruction to access user data. 9.The apparatus of claim 8, wherein the function module is associated withat least one user-mode hook.
 10. The apparatus of claim 8, wherein thehook bypass module is associated with a second function hook, thefunction module being associated with a first function hook and thesecond function hook.
 11. The apparatus of claim 8, wherein the hookbypass module is further configured to define a copy of the resourcelibrary.
 12. The apparatus of claim 8, wherein the resource library is aDynamic Link Library (DLL).
 13. The apparatus of claim 8, wherein thefunction module has been modified based on a modification to an importdescriptor table associated with the resource library.
 14. Anon-transitory processor-readable medium storing code associated with arunning application, the code representing instructions that whenexecuted cause a processor to: determine that a function module beingaccessed by the running application includes an instruction to access auser datum at a first memory location; determine that the functionmodule is associated with a function hook module, the function hookmodule including an instruction to access the user datum at a secondmemory location; define a copy of the function module, the copy of thefunction module including the instruction to access user data at thefirst memory location; and execute the copy of the function module. 15.The non-transitory processor-readable medium of claim 14, wherein thecode further represents instructions configured to cause the processorto: define the copy of the function module in response to a user logon.16. The non-transitory processor-readable medium of claim 14, whereinthe function module is included in a resource library and the copy ofthe function module is included in a copy of the resource library. 17.The non-transitory processor-readable medium of claim 14, wherein thecopy of the function module is executed based at least in part on avalue of at least one of: whether the function module includes aninstruction to access information associated with a user; whether thefunction module is stored at a specified device; a default systemsetting; a user preference setting; one or more system environmentparameters; a physical location of a user device; and a predeterminedtime period.
 18. The non-transitory processor-readable medium of claim14, wherein the defining the copy of the function module is in responseto the determining that the function module is associated with thefunction hook module.
 19. The non-transitory processor-readable mediumof claim 18, wherein the defining the copy of the function module isconfigured to be performed before the determining that the functionmodule is associated with the function hook module.
 20. Thenon-transitory processor-readable medium of claim 14, further comprisingcode configured to cause the processor to: determine, in response to atermination of the running application, whether any currently runningapplication includes an instruction to access the copy of the functionmodule; and delete the copy of the function module when no currentlyrunning application includes an instruction to access the copy of thefunction module.